Hello,

Attached is a pre version of proftpd login/logout/failure events and the samples I used. As usual, new application, new problems. The first problem is that out of the box proftpd uses its own log files instead of syslog. This poses a couple of problems:

* it resembles syslog logs, but looking closer it is not
* it does not have all the logs

So for collecting logs I commented out the SystemLog line, so syslog is used, and also enabled anonymous ftp.

I could not find a perfect message suitable for 'logout'. There are two related lines:

    proftpd[6848]: ubuntu (::ffff:192.168.2.179[::ffff:192.168.2.179]) - FTP session closed.

But this is used any time a TCP/IP connection is closed, even when there was no actual login. And even if there was a login, it has no user information...

    proftpd: pam_unix(proftpd:session): session closed for user czanik

This one has the user name, but no information at all about the session or IP address.

What do you think? Could any of these be useful for creating name - value pairs?

Also: if I discard some messages, like opening/closing a session, is it enough if I handle it with one rule (omitting checking the end of message) or should it be handled with two separate messages?

And finally some self marketing, hoping that it might be useful to someone: please check my blog (URL in my signature), I already have two blog posts about pattern writing. Please comment on them here on the mailing list, as if you find something problematic, it should be discussed, and without an additional blog comment login...

Bye,
--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
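
Added example (not part of the original message and not the attached patterns): a Python sketch that extracts name-value pairs from the two sample lines quoted above and reports which fields a 'logout' event would still lack from each. The field names, the regular expressions and the unwrapping of the IPv4-mapped address are assumptions made for illustration.

```python
import ipaddress
import re

# The two sample messages quoted in the post.
SAMPLES = [
    "proftpd[6848]: ubuntu (::ffff:192.168.2.179[::ffff:192.168.2.179]) - FTP session closed.",
    "proftpd: pam_unix(proftpd:session): session closed for user czanik",
]

# Hypothetical field names; the post does not define a naming scheme.
CONN_CLOSED = re.compile(
    r"^proftpd\[(?P<pid>\d+)\]: (?P<host>\S+) "
    r"\((?P<client_name>[^\[\]]+)\[(?P<client_ip>[^\[\]]+)\]\) - FTP session closed\.$"
)
PAM_CLOSED = re.compile(
    r"^proftpd: pam_unix\(proftpd:session\): session closed for user (?P<username>\S+)$"
)
LOGOUT_FIELDS = ("username", "client_ip")  # what a logout record would need


def normalize_ip(text):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d); leave anything else unchanged."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text  # not an address literal, keep the raw value
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped) if mapped else str(addr)


def parse(line):
    """Return the name-value pairs for a known message, or None if unmatched."""
    m = CONN_CLOSED.match(line)
    if m:
        pairs = dict(m.groupdict(), event="connection_closed")
        pairs["client_ip"] = normalize_ip(pairs["client_ip"])
        return pairs
    m = PAM_CLOSED.match(line)
    if m:
        return dict(m.groupdict(), event="pam_session_closed")
    return None


def missing_for_logout(pairs):
    """List the logout fields this message cannot supply on its own."""
    return [name for name in LOGOUT_FIELDS if name not in pairs]


if __name__ == "__main__":
    for line in SAMPLES:
        pairs = parse(line)
        print(pairs, "missing:", missing_for_logout(pairs))
```

Run on the two samples, the first line yields the client address but no user, and the second yields the user but neither a PID nor an address, so these two lines share no field that could join them into one logout record.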